2020 was a disaster, but the pandemic put security in the spotlight

Let’s preface this year’s predictions by acknowledging and admitting how hilariously wrong we were when this time last year we said that 2020 “showed promise.”

In fairness (almost) nobody saw a pandemic coming.

With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year.

The pandemic is, and remains, a global disaster of epic proportions that’s forced billions of people into lockdown, left economies in tatters with companies (including startups) struggling to stay afloat. The mass shifting of people working from home brought security challenges with it, like how to protect your workforce when employees are working outside the security perimeter of their offices. But it’s forced us to find and solve solutions to some of the most complex challenges, like pulling off a secure election and securing the supply chain for the vaccines that will bring our lives back to some semblance of normality.

With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year. This is what to expect.

Working from home has given hackers new avenues for attacks

The sudden lockdowns in March drove millions to work from home. But hackers quickly found new and interesting ways to target big companies by targeting the employees themselves. VPNs were a big target because of outstanding vulnerabilities that many companies didn’t bother to fix. Bugs in enterprise software left corporate networks open to attack. The flood of personal devices logging onto the network — and the influx of malware with it — introduced fresh havoc.

Sophos says that this mass decentralizing of the workforce has turned us all into our own IT departments. We have to patch our own computers, install security updates, and there’s no IT just down the hallway to ask if that’s a phishing email.

Companies are having to adjust to the cybersecurity challenges, since working from home is probably here to stay. Managed service providers, or outsourced IT departments, have a “huge opportunity to benefit from the work-from-home shift,” said Grayson Milbourne, security intelligence director at cybersecurity firm Webroot.

Ransomware has become more targeted and more difficult to escape

File-encrypting malware, or ransomware, is getting craftier and sneakier. Where traditional ransomware would encrypt and hold a victim’s files hostage in exchange for a ransom payout, the newer and more advanced strains first steal a victim’s files, encrypt the network and then threaten to publish the stolen files if the ransom isn’t paid.

This data-stealing ransomware makes escaping an attack far more difficult because a victim can’t just restore their systems from a backup (if there is one). CrowdStrike’s chief technology officer Michael Sentonas calls this new wave of ransomware “double extortion” because victims are forced to respond to the data breach as well.

The healthcare sector is under the closest guard because of the pandemic. Despite promises from some (but not all) ransomware groups that hospitals would not be deliberately targeted during the pandemic, medical practices were far from immune. 2020 saw several high profile attacks. A ransomware attack at Universal Health Services, one of the largest healthcare providers in the U.S., caused widespread disruption to its systems. Just last month U.S. Fertility confirmed a ransomware attack on its network.

These high-profile incidents are becoming more common because hackers are targeting their victims very carefully. These hyperfocused attacks require a lot more skill and effort but improve the hackers’ odds of landing a larger ransom — in some cases earning the hackers millions of dollars from a single attack.

“This coming year, these sophisticated cyberattacks will put enormous stress on the availability of services — in everything from rerouted healthcare services impacting patient care, to availability of online and mobile banking and finance platforms,” said Sentonas.

The pushback against facial recognition will gain momentum

2020 saw the biggest rebuke of facial recognition to date. It started in January when The New York Times did the big reveal on the shadowy surveillance startup Clearview AI.

The facial recognition startup let its users match a person’s face against a vast database of three billion photos, scraped without permission from public photos on social media sites. Clearview AI’s use by mostly government agencies and law enforcement (though rarely officially sanctioned), but also by some private companies, sparked outrage and prompted the social media firms to file cease and desist letters.

Rights groups have long said that facial recognition is flawed and disproportionately misidentifies people and communities of color, and others say it’s a violation of a person’s privacy.

Then came the bans, city by city, one by one, that swept across the U.S., forcing many police departments and public agencies to stop using facial recognition. Most recently Massachusetts lawmakers voted to ban the state’s public agencies from using facial recognition — the first statewide effort of its kind.

We can expect more municipalities, cities and states to pick up legislation limiting the public use of the controversial tech. Wider legislation is also anticipated to provide stronger protections for their citizens’ biometric data, just like the Biometric Information Privacy Act in Illinois, under which Facebook settled for $550 million in January for violating.

State-backed hackers will rear their ugly heads again

It’s been a busy year for state-backed espionage, driven in part by efforts to access and steal coronavirus vaccine research and spy on the U.S. presidential election, but also the usual slew of espionage activity, from targeting security conferences to broad attacks that saw hundreds of tech companies, game makers, universities and think tanks fall victim to state-backed cyber thieves.

But nothing quite compared to the attack discovered in December that saw FireEye, one of the largest cybersecurity companies, hacked along with several U.S. government departments, thanks to a sophisticated and stealthy supply chain attack at SolarWinds, a software firm that provides IT management tech to — you guessed it — major enterprise customers like FireEye and the U.S. government. The breach lasted months and was only discovered in December. Hackers backed by Russia’s foreign intelligence service known to sneak into networks to steal information built a backdoor into SolarWinds’ technology, allowing them to break into as many as 18,000 customer networks — most of which are Fortune 500 companies. Details are still emerging and likely will for some time.

FireEye said, admittedly before disclosing the attack on its systems, that it anticipates these kinds of espionage-driven attacks to not only continue but to increase, with an eye on trying to learn about policies and workings of the incoming administration.

These hacking groups are known as advanced persistent threats — or APTs — for their high level of skills and resources. “Major nation-state threat actors continuing efforts in 2021 will include Russia, China, Iran and North Korea. These countries are significant sponsors of threat activity, both regionally and globally. Beyond that, we’re seeing an uptick in activity from Vietnam and South Asia,” said FireEye.

As feds lobby for encryption-busting tools, a return to crypto wars?

You might’ve thought the government had better things to do this year than worry about breaking into locked and encrypted phones of criminal suspects, a problem that experts say largely doesn’t exist.

But the outgoing Trump administration has spent much of its final year in office aggressively pursuing its anti-encryption agenda, including calling for tech companies to build backdoors into their products and services — even if it means Americans should accept the security risks involved (they shouldn’t). It’s also introduced two bills that, if passed, would compel companies to turn over encrypted data with a warrant. The bill is expected to fail now that Congress is in a lame-duck session.

But security experts have said for years — decades even — that there is no way to build a secure backdoor without also risking hackers exploiting them. If anything good can come from the SolarWinds attack, it’s to drill home this very point.

Trump is just the latest in the ongoing efforts by successive U.S. administrations to weaken encryption, ostensibly to keep Americans safe from criminals — even if the end result would be disastrous for cybersecurity. But Biden’s voting history on encryption and security matters will hardly have privacy advocates jumping for joy. Biden has historically voted in favor of the government having powers to access encrypted data, even going as far to introduce legislation that included deep anti-encryption sentiments.

But a lot’s happened since the 1990s, helped by government leaks and disclosures that revealed the scope of the U.S. government’s surveillance apparatus that sparked outrage, which went on to change the law. Biden may be expected to take a softer approach on encryption, but rights groups and privacy advocates aren’t likely to let their guard down any time soon.